Unable to trigger playbook when case is set to notify

Question

I need to trigger playbook when an analyst changes stage to notify. I used custom trigger with [case.stage]=Notify but it does not run the playbook. Request assistance how can it be acived. TIA

AnimSparrow · Answer

Hi, as far as I know, playbook triggers only fire when an alert or case is created. For your requirements, a Job Scheduler would be the best approach. It can poll every X minutes to check for open cases with specific tags, stage or context values.

I’ve managed to find a workaround for the common limitation regarding applying playbooks via Jobs. Below is an example of how to achieve this using the IDE. Depending on your coding experience, the logic essentially boils down to two steps:

Retrieving the Alert Identifier for the target case.
Attaching the Playbook (Workflow) to that specific alert.

The code below might need some minor adjustments for your environment, but it illustrates the core logic.

to reference to

from SiemplifyJob import SiemplifyJob
from SiemplifyUtils import output_handler
from GoogleSOARManager import GoogleSOARManager

# Target Playbook Name
PLAYBOOK_NAME = "YOUR PLAYBOOK NAME"

@output_handler
def main():
    siemplify = SiemplifyJob()
    siemplify.script_name = "AttachPlaybookByStageJob"
    logger = siemplify.LOGGER

    environment = "XXX" # CHANGE TO YOURS ENVIRONMENT

    try:
        GSM = GoogleSOARManager(siemplify, environment)

        logger.info("Retrieving open cases from SOAR...")

        # RETRIVING ALL OPEN CASES
        open_case_ids = GSM.get_cases(
            case_closed=False,
            days_backwards=1, # HOW MANY DAYS TO CHECK BACKWARDS
            stages="Notify"   #  IF USED AS A STAGE, IF AS A CONTEXT VALUE - ADJUST IT HERE
        )

        if not open_case_ids:
            logger.info("No open cases with stage 'Notify' found.")
            siemplify.end_script()
            return

        # DOWNLOADING CASE DETAILS TO FIND ALERT ID (ALL PLAYBOOKS WORKS ONLY ON ALERTS - NOT ON CASES)
        case_details = GSM.fetch_case_details(open_case_ids)

        for case_id, details in case_details.items():
            try:
                # FETCH ALERT NEEDED BY METHOD attach_workflow_to_case)
                alerts = details.get('cyber_alerts', [])

                if alerts:
                    target_alert = alerts[0]
                    alert_identifier = target_alert.get('identifier')

                    logger.info(f"Attempting to attach '{PLAYBOOK_NAME}' to case {case_id}")

                    # ADD PLAYBOOK FUNCTION
                    siemplify.attach_workflow_to_case(
                        PLAYBOOK_NAME,
                        cyber_case_id=int(case_id),
                        indicator_identifier=alert_identifier
                    )

                    logger.info(f"Playbook successfully attached to case {case_id}")
                else:
                    logger.warning(f"No alerts found for case {case_id}. Skipping.")

            except Exception as e:
                logger.error(f"Error processing case {case_id}: {str(e)}")

    except Exception as e:
        logger.error(f"General error: {str(e)}")

    siemplify.end_script()

if __name__ == "__main__":
    main()

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded